BAN Logic A Logic of Authentication
|
|
- Coral Holt
- 6 years ago
- Views:
Transcription
1 BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1
2 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí, and Roger Needham. The logic is, as they stated, a logic of belief and action. It contains no logical inversions; therefore it cannot be used to prove a protocol flawed. But when proof that a protocol is correct cannot be obtained, that protocol deserves to be treated with grave suspicion. 2
3 Notation The logic reasons about beliefs. If Alice believes a proposition P, we write A P and say A believes P. Alice believes that K AT is a good key for communicating with Trent. This is expressed as A A K AT T ; we say A believes K AT is a good key for A and T. Trent acts as authentication server or certification authority in many of the protocols analyzed by BAN logic. If Alice believes that Trent can be trusted to create a good key for communication with Bob, we write A T A K ; we say A believes T has jurisdiction over or speaks for good keys for A and B. 3
4 Messages When Alice receives a message (which, in our logic, always contains a proposition), we write A P and say A sees P. Seeing is not believing unless you know who said it. Note that, in this logic, nobody says anything he or she does not believe. If Alice sent a message containing the statement P, we may write A P and say A once said P. But, Alice may have said it so long ago that we can no longer trust the contents of her message. We need to know that Alice s statement is fresh. When a statement P is fresh we write #(P) and say P is fresh. 4
5 Notation Summary P X P X P X #(P) P X P believes X P sees X P once said X P is fresh P has jurisdiction over X P K Q K is a good key for communicating between K P P and Q P has K as a public key P X Q X Y X is a secret known only to P and Q X combined with (secret) Y 5
6 Axioms We adopt the notation in the BAN papers: P Q then Q is true. means if P is true We assume that participants in protocols are good logicians: if Alice believes a proposition X and X, then she believes Y Y too. This is true for the axioms also. 6
7 Message meaning rules P P K Q, P {X} K P Q X P K Q, P {X} K 1 P Q X P P Y Q, P X Y P Q X 7
8 Nonce Verification P #(X), P Q X P Q X 8
9 Jurisdiction Rule P Q X, P Q X P X 9
10 More Rules P X, P Y P (X, Y ) P (X, Y ) P X P Q (X, Y ) P Q X P Q (X, Y ) P Q X 10
11 And More P (X, Y ) P X P X Y ) P X P P K Q, P {X} K P X 11
12 And More P K P, P {X} K P X P K Q, P {X} K 1 P X P #(X) A #((X, Y )) 12
13 Analysis of Protocols Most analyses start with assumptions such as A A K AT T A T A K AB B B K BT T B T B K AB A #(N A ) B #(N B ) T A K AB and need to conclude with A A K AB B A K AB A B A K AB B A A K AB 13
14 The Ottway-Rees Authentication Protocol 1. M, A, B, {N A, M, A, B} KAT 2. M, A, B, {N A, M, A, B} KAT, {N B, M, A, B} KBT 3. M, {N A, K AB } KAT, {N B, K AB } KBT 4. M, {N A, K AB } KAT 14
15 Analysis The Protocol 1. M, A, B, {N A, M, A, B} KAT {N A, N C } KAS 2. M, A, B, {N A, M, A, B} KAT, {N B, M, A, B} KBT {N A, N C } KAS, {N B, N C } KBS 3. M, {N A, K AB } KAT, {N B, K AB } KBT {N A, A K AB, B N C } KAT, {N B, A K AB, A N C } KBT 4. M, {N A, K AB } KAT {N A, A K AB, B N C } KAT 15
16 Analysis Assumptions A A K AT T T A K AT T B B K BT T T B K BT T T A K AB A T A K AB A T B X B T B K AB B T A X A #(N A ) B #(N B ) A #(N C ) 16
17 Analysis Derivations B {N B, A K AB } KBT, B B K BT T B T N B, A K AB B {N B, A K AB } KBT, B #(N B ) B #(A K AB ) B T A K AB, B B T A K AB #(A K AB ) B T A K AB, B T A K AB B A K AB 17
18 Analysis Conclusion Similarly, we derive A A K AB. We can also derive but we can only prove A B N C, B A N C. N A is not needed, N C can be used instead. 18
19 the Needham-Schroeder Protocol 1. A, B, N A 2. {N A, B, K AB, {A, K AB } KBT } KAT 3. {A, K AB } KBT 4. {N B } KAB 5. {N B 1} KAB 19
20 Needham-Schroeder Analysed Assumptions: T A K AB A A K AT T T A K AT T B B K BT T T B K BT T A T A K AB A T #(K AB ) B T B K AB A #(N A ) B #(N B ) T #(K AB ) B #(A K ) 20
21 Messages 1. A, B, N A 2. {N A, B, K AB, {A, K AB } KBT } KAT 3. {A, K AB } KBT {N A, A K AB, #(A K AB ), {A K AB } KBT } KAT {A K AB } KBT 4. {N B } KAB 5. {N B 1} KAB {N B, A K AB } KAB f r omb {N B, A K AB } KAB f r oma 21
22 Analysis As in the Ottway-Rees protocol, we have the message for Alice saying {N A, A K AB } KAT, so we can prove in an identical manner A A K AB. But Bob gets no message linking Trent s statement A K AB to something he knows to be fresh. B T A K AB. We cannot get beyond 22
23 Needham-Schroeder Exposed This exactly puts the finger on the weakness in the Needham- Schroeder protocol: Mallory could record Alice and Bob s key exchange and trick Bob into accepting the key in Message 3 any time he chooses. Mallory will be thwarted, however, when he cannot respond to Bob s Message 4. But if he can afford to spend a year of CPU time cracking K AB, he can get Bob to accept and use a year-old key. 23
A Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationDeriving GDOI. Dusko Pavlovic and Cathy Meadows
Deriving GDOI Dusko Pavlovic and Cathy Meadows September 2003 1 Outline 1. Trace logic 2. Axioms and rules 3. Deriving core GDOI 4. Global encryption and hashing transformations 5. Adding PFS and POP options
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationA Semantics for a Logic of Authentication. Cambridge, MA : A; B
A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationModel Checking Security Protocols Using a Logic of Belief
Model Checking Security Protocols Using a Logic of Belief Massimo Benerecetti 1 and Fausto Giunchiglia 1,2 1 DISA - University of Trento, Via Inama 5, 38050 Trento, Italy 2 IRST - Istituto Trentino di
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationMATH UN Midterm 2 November 10, 2016 (75 minutes)
Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationKEY DISTRIBUTION 1 /74
KEY DISTRIBUTION 1 /74 The public key setting Alice M D sk[a] (C) C Bob pk[a] C $ E pk[a] (M) σ $ S sk[a] (M) M,σ Vpk[A] (M,σ) Bob can: send encrypted data to Alice verify her signatures as long as he
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationA New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)
A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC) Majid Alshammari and Khaled Elleithy Department of Computer Science and Engineering University of Bridgeport
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationAnalysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt
Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt TOM COFFEY, PUNEET SAIDHA, PETER URROWS Data Communication Security Laboratory University of Limerick
More informationYou know that this guy is Napoléon
You know that this guy is Napoléon He believes he is Napoleon, but it is well known that I am Napoleon. Epistemic Logic and Modal Logic Pierre Lescanne, LIP, ENS de Lyon 6 Examples related to computers
More informationQuantum Simultaneous Contract Signing
Quantum Simultaneous Contract Signing J. Bouda, M. Pivoluska, L. Caha, P. Mateus, N. Paunkovic 22. October 2010 Based on work presented on AQIS 2010 J. Bouda, M. Pivoluska, L. Caha, P. Mateus, N. Quantum
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationUniversal Blind Quantum Computing
Universal Blind Quantum Computing Elham Kashefi Laboratoire d Informatique de Grenoble Joint work with Anne Broadbent Montreal Joe Fitzsimons Oxford Classical Blind Computing Fundamentally asymmetric unlike
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationThe RSA public encryption scheme: How I learned to stop worrying and love buying stuff online
The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online Anthony Várilly-Alvarado Rice University Mathematics Leadership Institute, June 2010 Our Goal Today I will
More informationResearch Statement Christopher Hardin
Research Statement Christopher Hardin Brief summary of research interests. I am interested in mathematical logic and theoretical computer science. Specifically, I am interested in program logics, particularly
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationDiscrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols Max Kanovich 1,5 Tajana Ban Kirigin 2 Vivek Nigam 3 Andre Scedrov 4,5 and Carolyn Talcott 6 1 Queen Mary, University of London
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationMULTI-AGENT ONLY-KNOWING
MULTI-AGENT ONLY-KNOWING Gerhard Lakemeyer Computer Science, RWTH Aachen University Germany AI, Logic, and Epistemic Planning, Copenhagen October 3, 2013 Joint work with Vaishak Belle Contents of this
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationSecurity of NEQR Quantum Image by Using Quantum Fourier Transform with Blind Trent
Security of NEQR Quantum Image by Using Quantum Fourier Transform with Blind Trent Engin ŞAHİN*, İhsan YILMAZ** arxiv:1801.10364v1 [quant-ph] 31 Jan 2018 * Department of Computer and Instructional Technologies
More informationDiscrete Mathematics and Probability Theory Summer 2014 James Cook Midterm 1 (Version B)
CS 70 Discrete Mathematics and Probability Theory Summer 2014 James Cook Midterm 1 (Version B) Instructions: Do not turn over this page until the proctor tells you to. Don t write any answers on the backs
More informationLecture Notes, Week 10
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 10 (rev. 2) Professor M. J. Fischer March 29 & 31, 2005 Lecture Notes, Week 10 1 Zero Knowledge Interactive
More information2.3 Measuring Degrees of Belief
Richard Johns From A Theory of Physical Probability, U. of T. Press, 2002 2.3 Measuring Degrees of Belief Having sketched out the nature of logical probability, let us now proceed to giving a precise account
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationA compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationA progress report on using Maude to verify protocol properties using the strand space model
A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationA probabilistic quantum key transfer protocol
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 013; 6:1389 1395 Published online 13 March 013 in Wiley Online Library (wileyonlinelibrary.com)..736 RESEARCH ARTICLE Abhishek Parakh* Nebraska
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationLecture 1: Shannon s Theorem
Lecture 1: Shannon s Theorem Lecturer: Travis Gagie January 13th, 2015 Welcome to Data Compression! I m Travis and I ll be your instructor this week. If you haven t registered yet, don t worry, we ll work
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationStrand Spaces: Why is a Security Protocol Correct?
Strand Spaces: Why is a Security Protocol Correct? F. Javier Thayer Fábrega Jonathan C. Herzog Joshua D. Guttman The MITRE Corporation fjt, jherzog, guttmang@mitre.org Abstract A strand is a sequence of
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationMobile Driver License (mdl) June 20, Geoff Slagle Director, Identity Management AAMVA
Mobile Driver License (mdl) June 20, 2017 Geoff Slagle Director, Identity Management AAMVA CDS Committee & eid WG What is a mdl? Functional requirements mdl Scope Solution concepts Initiatives (including
More informationstructure of such protocols, the difficulty is that logics are useful only when the semantics is precise, and most of the problems seem to relate to p
Information based reasoning about security protocols R. Ramanujam and S. P. Suresh 1 The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. Abstract We propose a notion of information
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationBy the way, = = 693 (mod 1823) and ord(3) = 911. I list the commands I used in Mathematica to solve this problem here.
9.1 Shrank s algorithm n = 1823, m = n = 43, g = 5, y = 693. The extended Euclidean algorithm gives 5 1094 3 1823 = 1, i.e., g 1 = 1094 (mod n). Compute (g im mod n) and (y g i mod n) for i = 0, 1,...,
More informationLogic and Proofs. Jan COT3100: Applications of Discrete Structures Jan 2007
COT3100: Propositional Equivalences 1 Logic and Proofs Jan 2007 COT3100: Propositional Equivalences 2 1 Translating from Natural Languages EXAMPLE. Translate the following sentence into a logical expression:
More informationBinary decision diagrams for security protocols
for Instytut Informatyki Teoretycznej i Stosowanej Politechnika Częstochowska 4 czerwca 2012 roku 1 2 3 4 Infrastructure with Intruder Threat template 5 References BDD definition Definition An BDD G
More informationPrivate Authentication
Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence
More informationThe Needham-Schroeder-Lowe protocol
The Needham-Schroeder-Lowe protocol Unbounded sessions Principals run either initiator or responder role in each of their sessions We adopt the following conventions throughout this paper: honest principals
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationA Verifiable Language for Cryptographic Protocols
Downloaded from orbit.dtu.dk on: Jan 30, 2018 A Verifiable Language for Cryptographic Protocols Nielsen, Christoffer Rosenkilde; Nielson, Flemming; Nielson, Hanne Riis Publication date: 2009 Document Version
More information